Exposed: Dutch internet providers retained metadata for illegal ads

Unauthorized global surveillance has had everyone’s outrage directed at the NSA. But a recent revelation by the Dutch sheds light on how Europe’s own otherwise forgotten data retention law was systematically abused by its telecom and internet providers.

Following a freedom of information request, Dutch digital rights
organization Bits of Freedom publicizes a report, which details
an exposing study into activities of local telecommunication
operators and ISPs.

Though the study was concluded all the way back in April 2012, it
has failed to lead to the prosecution of all parties guilty of
misusing user metadata and abusing data retention directives by
illegally advertising to their customers, the group says.

The report by the Radiocommunications Agency of the Dutch
Ministry of Economic Affairs revealed that, following a mandatory
survey of internet and telecom providers, at least 40 out of 229
companies who participated, used people’s meta-data "solely
for purposes other than the legally permitted processing
goals.”

Technology media, events and research company, International Data
Group (IDG), wrote that the number would be even greater if it
included companies that admitted to both legal and illegal use of
the data, stipulated in the European Commission’s Data Retention
Directive of 2006.

According to the government report, any use of private
information for purposes other than billing requires the provider
to obtain user consent, which that user may withdraw at any time.
However, only 147 companies of the 229 surveyed had admitted to
asking.

The EC website details the law as requiring “operators
to retain certain categories of data (for identifying users and
details of phone calls made and emails sent, excluding the
content of those communications) for a period between six months
and two years and to make them available, on request, to law
enforcement authorities for the purposes of investigating,
detecting and prosecuting serious crime and terrorism.”

The Netherlands’ own version of the directive was passed in 2009
and required telecom providers to store metadata for up to a
year, and six months for their internet counterparts.

The government radio-com agency’s spokeswoman, Mariel Van Dam,
explained that because the law was still fresh at the time, the
findings of the agency’s study were played down and nothing came
of them. "We said that we should give the companies a chance
to comply with the law."

A follow-up study currently being conducted should pick up where
the previous one left off, with results expected no later than
2014. That is the point the communications agency plans to start
actually enforcing the law.

A maximum fine of 250,000 euro ($339,000) will be instituted, Van
Dam said.

Bits of Freedom is presently calling for an end to the data
retention law, for fear of its misuse by communications providers
and the government alike. They are firstly asking the EU to lower
its mandatory time frames for information storage and, in the
end, to abolish data retention across the continent as a whole.

However, only the European Commission can decide that, meaning
the Dutch really have no power over how the law affects their
country.

European Digital Rights (EDRi), an organization dedicated to
promoting civil and privacy laws, joined the chorus. Its
executive director, Joe McNamee said in an email to the IDG that
"It is nothing less than disgraceful that the European
Commission has repeatedly taken Member States to court for
failing to implement the Directive, but has not lifted a finger
to take action when the Directive was implemented in ways that
undermined the fundamental rights of European Citizens."

This attention given to Europe’s information retention law comes
very shortly after, across the Atlantic Ocean, Google was
embroiled in its own scandal and getting pummeled with a
combination of lawsuits against its Maps and Gmail services. The
latter assumed that utilizing user data to compile user-specific
advertising is not an invasion of their privacy.